Process for securing the privacy of data transmission

ABSTRACT

A method for assuring data transmission between control units in a motor vehicle is proposed, which units are connected to one another via a data bus, wherein the communication between the devices occurs in an encoded form and an encoding is dependent on secret keys stored in the control units and on a random value that changes over time.

PRIOR ART

[0001] The invention is based on a method for assuring data transmission between control units in a motor vehicle, according to the preamble to the main claim.

[0002] A use of data transmission in which a particularly secure transmission of data between control units is required is known from DE 44 42 103. Said instance concerns an antitheft device for motor vehicles in which an immobilizer influences the release of a motor control device. In order to release the motor control device, a code must be input into a code reception device and the locking control device must thereby be triggered. The data communication between the control units travels via an on-board bus. In the known prior art, the immobilizer is in fact set into operation by way of a key code that is only accessible to the user, but the communication between the immobilizer control unit and a motor control unit takes place in an uncoded manner via the serial data transmission line. Since a releasing signal or locking signal of this kind is a very simple signal, which in the extreme case is comprised of one bit, such a signal can be manipulated very easily. It would be possible in such a method to feed in a manipulated signal by detaching a connecting line. Such a manipulation could easily be carried out by replaying a signal previously received and recorded from this transmission line.

ADVANTAGES OF THE INVENTION

[0003] The method according to the invention, with the characterizing features of the main claim has the advantage over the prior art that the data transmission between the control units takes place in an encoded form and that such a data transmission is not easy to manipulate. Thus detaching the connecting line and eavesdropping on the encoded signal transmitted via the line cannot produce successful results. Also, a replacement e.g. of the control unit for the immobilizer, as well as the replacement of the motor control unit does not produce successful results because the keys present in the devices no longer coincide. Also, the detachment and reconnection of battery voltage cannot influence the data transmission. Reading the memory of the control units and manipulating internal keys disposed in them also does not lead to any normal communication between the control units. Even the replacement in pairs of a motor control unit and a device for the immobilizer does not produce successful results since the key known only to the user is still lacking.

[0004] Advantageous improvements and updates of the method disclosed in the main claim are possible by means of the measures taken in the dependent claims. It is particularly advantageous that the communication between the control units in the form according to the invention is to be used for the security relevant communication between the control unit of an immobilizer and the control unit of a motor control.

[0005] Advantageously, the motor control obtains the random bit sequence, which represents the basis for the encoding, from sensor data present in the vehicle, which can be accessed via the data stream on the bus.

[0006] For security reasons, in order to prevent the random bit sequence from being guessed by trial and error, the random bit sequence should have a length of four bytes. Even for the length of the internal key, which is used for encoding messages between the control units, a length of at least 4 bytes is advantageous.

[0007] In order to produce a cryptogram with the key obtained, a signal byte is added bitwise modulo 2 to a first byte of the key, the result is subjected to a permutation and its result is then subjected to further additions or multiplications with the other bytes of the key. The resulting signal byte is comprised of the individual results of the encoding steps. The encoding method according to the invention can function with various permutation tables. In particular, the permutation can also be realized through multiplication. An increase in the security of the encoding is achieved by encoding steps that operate in parallel with one another.

DRAWINGS

[0008] An exemplary embodiment of the invention is represented in the drawings and explained in more detail in the description that follows.

[0009] FIG. 1 shows the progression of a communication between two control units,

[0010] FIG. 2 shows a motor control in an immobilizer being set into operation, and

[0011] FIG. 3 shows the encoding method.

DESCRIPTION OF THE EXEMPLARY EMBODIMENT

[0012] The communication between two control units 1 and 2 according to FIG. 1 takes place after the introduction of a key 20 into the first control unit, e.g. the immobilizer. This key signal 20 can be an encoded key, an encoding introduced by way of a chip card, a radio code, etc. The key signal 20 is detected by the immobilizer 4 and a signal 24 that a valid key is present is sent on the data line. This signal fulfills a wake-up function for the control unit 2. In step 3, the control unit generates a random bit sequence 21 of an n_(t) bit length, stores this bit sequence and transmits it to the control unit 1. The number of bits in the random sequence must be chosen large enough that a criminal who has possession of the device or the vehicle is not in a position to ascertain and record all possible solutions to all of the random bit sequences by trial and error. If one takes into consideration the length of the random bit sequence as a function of the number of possible permutations, for a random bit sequence 21 of one byte in length, the result is a sum of one times 265 bytes; with a length of 4 bytes, the result is already a number of four times 256⁴=17.2 GBytes. Storing such an amount of data is no longer easily possible, even for a thief. After the transmission of the random bit sequence, in step 5 or 6, i.e. in both control units at the same time, a cipher generator is initialized with the internal key 20′. In this connection, the key 20′ is present in both the control unit 1 and the control unit 2. In the case of a correct initiation, the internal key is the same for both devices. However, this fact in particular must first be tested by means of the communication. The length of the key 20′ must be chosen large enough that its ascertainment by trial and error is precluded. Naturally, a criminal can accidentally obtain the right key even on the first attempt, but this can also just as easily happen on the last possible key.
Therefore, the assumption is that on average, the criminal must try half of all possible keys in order to be successful. A comparison of the times that a potential criminal must expend in order to try out different keys is given below: With a key length of 1 byte, a criminal requires one half times 2⁸ seconds=128 seconds, if one assumes that the criminal makes one attempt per second. If the key length is increased to 2 bytes, already approx. 9 hours are required, when it is increased to 3 bytes, 97 days are needed, and at 4 bytes, 69 years are required. A length of 3 bytes therefore seems to be a sufficient key length. However, if one also takes into consideration the fact that parallelization and similar methods can multiply the speed tenfold or even a hundred-fold, a value of 4 bytes is indicated for this use.

[0013] The key 20′ must be accommodated in both the control unit 1 and the control unit 2 so that it cannot be read. It must also be impossible for it to be changed or overwritten by an unauthorized person. On the other hand, in the event of a necessary repair, it must also be possible to replace and re-initialize defective parts, e.g. control units or parts of control units. There is thus a higher cost for encoding and storing the key 20′ in the electronics of the control units. The key code 22 is generated in steps 7 and 8 with the key 20′ and the random bit sequence 21. The key code 22 is used to encode a message to be sent by the control unit 1 to the control unit 2 and vice versa. The first message of the control unit 1 is comprised of a text, in which at least n_(r) bits are unchanging (redundant) and which is known to the control unit 2. In step 9, this resulting cryptogram is transmitted in the length of n_(s) bits. The length n_(s) is the length of the data that is exchanged as needed in an additionally encoded manner, plus the length n_(r) of the redundant bits. The concatenation of the message with the key code in step 9 can take place through the bitwise addition modulo 2. In this instance, the additionally encoded data 20 sent cannot be understood and interpreted by unauthorized persons, but bits can still be intentionally produced at designated positions and possibly inverted in an undetected manner for the vehicle electronics and consequently commands can be falsified. However, this can be prevented by means of the additional introduction of a text return, which results in an error propagation. If the additional data is transmitted before the unchanging identification signal, then the latter is changed in an arbitrary falsification of the additional data and the manipulation attempt is detected in any case. The establishment of communication thus remains unsuccessful. 
In step 10, the unchanging bit sequence of n_(r) bit length contained in the cryptogram that has been received and decoded is compared to the stored unchanging bit sequence and the unchanging n_(r) bits are thus checked for correctness. In the next step, when the comparison result is correct, e.g. a motor control unit releases the motor, and the remaining n_(s)-n_(r) decoded data-carrying bits of the message 23 are output. If the comparison with the message 23 indicates that an error has occurred, e.g. by means of a manipulation attempt, the motor remains locked. In this manner, functions in the control units can be blocked.

[0014] FIG. 2 shows the progression of the communication between an immobilizer and a motor control unit. The crypto-algorithm in the motor control unit is brought into an initial state by means of random influence quantities that are indicated by an arrow. The motor control unit is in the active state 14 while the immobilizer is locked 13. The crypto-algorithm in the control unit sends its signal in the form of at least 4 bytes to the control unit of the immobilizer in order to initialize and crypto-synchronize 15 this control unit. The control unit of the immobilizer is initialized 17 and begins with the transmission of an arbitrary number (n_(s)/8) of bytes of encoded data to the motor control 18. The authenticity of the data is discerned by virtue of the fact that it can be correctly decoded. In order to check this and thereby to permit travel, the data sent must contain sufficient redundancy n_(r), i.e. data already known previously to the receiver. As an example, therefore, the encoded data sent by the immobilizer to the motor control should contain at least 16 bits of data known to the motor control, which the motor control must recognize after decoding. These can, for example, be two bytes with 00 or 11 or another fixed bit pattern. In encoded signals, these two bytes cannot be recognized; they are encoded differently each time. For this reason, they also cannot be falsified by a third party who does not know the key code 22. The 16 redundant bits do not absolutely need to be transmitted enclosed in the form of two bytes; they can also be arbitrarily encapsulated in the data to be transmitted in encoded form. They must then be individually verified in the motor control by means of comparison to the expected bit pattern.

[0015] FIG. 3 shows the actual crypto-algorithm, which is comprised of four identical modules 27 connected in sequence. In FIG. 3, a + indicates the bitwise addition modulo 2, a * indicates the multiplication modulo 257. The four bytes of the key code 22 are indicated with 28, the output bytes of the module 27 are indicated with 29. The input byte 26 of each module is first added bitwise modulo 2 to a byte 28 of the key code; in other words, each bit of the input byte is EXOR-combined with the equivalent bit of the respective key byte. In terms of both the calculation modulo 256 and the bitwise modulo 2 addition, the result is subjected to nonlinear permutations. These permutations can be carried out best with a table which, however, generally requires a lot of storage space in ROM. It is almost precisely as favorable to carry out the permutation by means of multiplication with an odd number between 3 and 253 modulo 257, wherein at the output, the value 256 is to be replaced by the value resulting from the input value 256, i.e. by means of (256*F) modulo 257. F is an odd factor. With the exception of the last module 27, the output byte 29 of each module is supplied to the input of the succeeding one. The bitwise modulo 2 sum of the output bytes 29 constitutes the output byte 23, which is used for encoding and decoding by means of bitwise modulo 2 addition to the clear or secret byte.
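Added example, not part of the patent text: a Python sketch of the FIG. 3 module chain from [0015] and of the falsification case from [0013]. It shows that the replacement rule for the value 256 yields a true byte permutation, and that an inverted data bit passes the redundancy check under plain modulo 2 addition but fails it with text return. The factors, key code, message, the SYNC start value and the reading of "text return" as feeding the previous cryptogram byte into the chain input are assumptions.

```python
# Added illustration of FIG. 3 ([0015]) and the falsification check in [0013]; not patent code.
FACTORS = (3, 45, 129, 253)                 # assumed odd factors F, one per module 27
KEY_CODE = bytes([0x3A, 0xC5, 0x17, 0x9E])  # constructed sample key code 22
REDUNDANT = b"\x11\x11"                     # fixed pattern known to the receiver ([0014])
SYNC = 0x00                                 # assumed chain input before the first byte

def permute(x, f):
    """Multiplication modulo 257; the output value 256 is replaced by (256*F) mod 257."""
    y = (x * f) % 257
    return (256 * f) % 257 if y == 256 else y

def is_byte_permutation(f):
    return sorted(permute(x, f) for x in range(256)) == list(range(256))

def output_byte(inp, key):
    """Modules 27 in sequence: add key byte 28 modulo 2, permute, pass on; XOR all outputs 29."""
    acc = 0
    for k, f in zip(key, FACTORS):
        inp = permute(inp ^ k, f)
        acc ^= inp
    return acc

def xor_plain(msg, key):
    """Step 9 without text return: message added bitwise modulo 2 to the key code."""
    return bytes(m ^ key[i % len(key)] for i, m in enumerate(msg))

def encode_fb(msg, key):
    """Assumed text return: the previous cryptogram byte is the next chain input."""
    out, prev = bytearray(), SYNC
    for m in msg:
        prev = m ^ output_byte(prev, key)
        out.append(prev)
    return bytes(out)

def decode_fb(crypt, key):
    out, prev = bytearray(), SYNC
    for c in crypt:
        out.append(c ^ output_byte(prev, key))
        prev = c
    return bytes(out)

def accepted(plain):
    """Step 10: the decoded redundant bytes must equal the stored pattern."""
    return plain.endswith(REDUNDANT)

def flip_data_bit(crypt):
    """One inverted bit in the data byte of a cryptogram, as [0013] considers."""
    return bytes([crypt[0] ^ 0x01]) + crypt[1:]

def demo():
    msg = b"\x01" + REDUNDANT   # constructed message: data byte, then redundant bytes
    plain = xor_plain(flip_data_bit(xor_plain(msg, KEY_CODE)), KEY_CODE)
    fed = decode_fb(flip_data_bit(encode_fb(msg, KEY_CODE)), KEY_CODE)
    return accepted(plain), accepted(fed)   # falsified command passes only without text return
```

In this simplified model a changed cryptogram byte disturbs only the byte decoded directly after it, which is why the constructed message places the redundant bytes immediately behind the single data byte.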

[0016] Other Exemplary Embodiments

[0017] The above-described crypto-algorithm can be modified in various ways: The odd factors F_(I) can be selected in a wide range from 3 to 253 and can be chosen as different for each module 27.

[0018] The choice of average values is advantageous. In the sequence, as has already been indicated above, other modules 27 can be added, which extends the length of the secret key, but also extends the length of the synchronization lead time and the length of the error propagation. If a lengthening of only the key code 22 is desired, without lengthening the synchronization, another sequence can be added in parallel, whose input is connected to the input of the first sequence and whose outputs are added bitwise modulo 2 to the outputs of the first. If the intent is to have an endlessly long error propagation, then after the synchronization has been achieved, the configuration of the sender side can be exchanged with that of the receiver side.

[0019] The method according to the invention permits an encoded communication of control units, of parts of the control units, or of individual electronic modules by way of a suitable connection. The method can be used for the transmission of individual control signals as well as for large quantities of data. 

1. A method for assuring data transmission between at least two control units in a motor vehicle, which are connected to each other via a data bus, characterized in that one of the control units transmits a random bit sequence (21) on the data bus, in all control units, a key code (22) is produced with the random bit sequence (21) and an internal key (20′), and one of the control units sends a message (23) produced with the key code (22) and, in the receiving control units, this message is checked as to its correct encoding with the key code (22) and is read.
 2. The method for assuring data transmission according to claim 1, characterized in that a first control unit (1) is set into operation with a key signal (20), by means of the first control unit (1), the received key signal (20) is acknowledged on the data bus by means of a wake-up signal (24), a second control unit (2) is initialized to the wake-up signal (24), the second control unit (2) begins with the transmission of a random bit sequence (21) to the first control unit (1), in both control units, a key code (22) is produced with the random bit sequence (21) and an internal key (20′), and the first control unit (1) sends a message (23) that is checked as to its correct encoding with the key code (22) in the control unit (2).
 3. The method for assuring data transmission according to claim 1 or 2, characterized in that the first control unit (1) is an immobilizer, the second control unit (2) is a motor control and in that with correct encoding of the message (23), which is sent to the motor control (2), a release occurs.
 4. The method for assuring data transmission according to claims 1 to 3, characterized in that the random bit sequence (21) is generated from existing sensor data of the control unit (2).
 5. The method for assuring data transmission according to claims 1 to 4, characterized in that a length of at least 4 bytes is established for the random bit sequence (21).
 6. The method for assuring data transmission according to claims 1 to 5, characterized in that the length of the key code (22) is established with at least 4 bytes.
 7. The method for assuring data transmission according to claims 1 to 6, characterized in that in order to produce a message (23), in a number of modules (27), a signal byte (25) has a byte (28) of the key code (22) added to it bitwise, modulo 2, then is subjected to a permutation and the result is entered into the next module (27) and that after each process step, the respective result (29) is combined into an encoded signal byte (23).
 8. The method for assuring data transmission according to claims 1 to 7, characterized in that the permutation takes place through multiplication modulo 257 of the value of the input byte with a factor Fi.
 9. The method for assuring data transmission according to claim 8, characterized in that the factor Fi can be freely selected from between 3 and 253 for each encoding module (27).
 10. The method for assuring data transmission according to claims 1 to 8, characterized in that the encoding is achieved by way of a number of crypto-generator sequences operating in parallel to one another.
 11. The method for assuring according to claims 1 to 10, characterized in that the encoded message (23) contains redundant data that is known to the receiving control units and is checked for correctness by the control units.
 12. The method for assuring according to claims 1 to 11, characterized in that with a negative result of the check, an error message is generated and/or functions of the control units are interrupted. 